Two Hacker Groups Responsible for 60% of Crypto Hacks

A report published by blockchain analysis firm Chainalysis has revealed that two separate hacker groups are responsible for up to 60% of all publicly reported cryptocurrency exchange hacks. The firm further estimates that the two groups combined have stolen approximately 1 billion USD worth of cryptocurrency since the start of their operations. Chainalysis may not be the first name the public thinks of when it comes to cybersecurity, but the firm has earned a solid reputation for illuminating what it terms cryptocrime. It made headlines when, working with Google, it found that 95% of all ransomware payments made since the start of 2014 had been converted into fiat currency via the BTC-e exchange. That investigation led to the arrest of Alexander Vinnik, the CEO of BTC-e at the time.

According to Chainalysis, the two prominent groups, tracked over a period of years and called Alpha and Beta by the firm, stole on average 90 million USD per hack. Alpha is the larger of the two, but Beta is by no means too small to ignore. Both groups specialize in breaching exchange portals to steal cryptocurrency, then move the stolen funds through a complex network of wallets and exchanges in an attempt to disguise their origin.

On average, the company says, the two groups move funds at least 5,000 times before converting them to fiat (conventional) currency. The firm has also been able to assign certain characteristics to each group. Alpha is described as “a giant, tightly controlled organization at least partly driven by non-monetary goals,” while Beta is described as a “less organized and smaller organization absolutely focused on the money.”

Once stolen cryptocurrency has been distributed through these networks of wallets and exchanges, both groups wait for a period of time before converting it to fiat currency. The average cooldown period is 40 days, with the researchers adding:

“Once they feel safe, they move quickly. At least 50% of the hacked funds are cashed out through some conversion service within 112 days, and 75% of the hacked funds have been cashed out within 168 days.”

Of the two groups, Alpha places greater emphasis on hiding funds, which it does by pushing them through mass blockchain transactions. According to the report, Alpha sometimes disguises a hack behind 15,000 transactions and usually cashes out up to 75% of the stolen funds within 30 days. Beta does far less to obscure the source of its assets and usually sits on funds for 6 to 18 months before cashing out. The Chainalysis report is not the only recent report dealing with cryptocrime. A report released by another blockchain analysis firm, CipherTrace, details the favored attack methods used by hackers and the staggering amounts of funds stolen.

CipherTrace Report

The 26-page report might seem a little daunting but is well worth a read if you have invested in cryptocurrency. In summary, researchers found that hackers stole 1.7 billion USD worth of cryptocurrency in 2018. The biggest challenge facing hackers is turning stolen cryptocurrency into fiat currency, which requires creative ways of circumventing tough new anti-money laundering and counter-terror financing laws across the globe. One such method, which the firm calls crypto dusting, involves a “company”, in this case BestMixer.io, sending minuscule amounts of Bitcoin to users along with a message promoting the company’s service, which lets users mix Bitcoin, Litecoin and Bitcoin Cash. These tiny transactions amount to a cost-effective mass advertising campaign, sometimes referred to as blockchain spam. Spamming, however, is not the aim.

The aim of the campaign is far from generous self-promotion. BestMixer.io sent these tiny amounts to the top-earning wallet addresses in order to taint them: on the blockchain, each of those addresses now appears to have transacted with the mixer. Dusting so many addresses soils their owners' reputations and, more importantly, is an attempt to confuse blockchain analytics tools, so that mixer-linked funds become harder to separate from legitimate ones and anti-money laundering controls are circumvented. BestMixer itself is based in Curacao, a top money laundering destination according to the US State Department, and promotes itself as the only legal bitcoin tumbler, offering “blockchain analysis resistant coins.” The service offers three tiers of money laundering services. Its premium service appears to promise freshly mined coins, but transaction tracing reveals these coins are instead cleansed at cryptocurrency exchanges with weak anti-money laundering policies.
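Dust sitting in a wallet is harmless on its own; the damage is done when a wallet's coin selection co-spends it with the owner's other coins, because spending several inputs in one transaction is exactly the heuristic analytics tools use to cluster addresses. The following is an added example of a dust-aware wallet routine that quarantines suspected dusting outputs and never spends them. It is not code from the Chainalysis or CipherTrace reports, from BestMixer.io or from any real wallet; the addresses, transaction ids, flagged-sender list, per-input fee and the 1000-satoshi threshold are all constructed assumptions for illustration.

```python
"""Dust-aware UTXO handling: quarantine suspected dusting outputs and never
co-spend them with clean coins.

Added example for the cryptodusting discussion above; it is not code from the
Chainalysis or CipherTrace reports, from BestMixer.io or from any wallet.
Addresses, transaction ids, the flagged-sender list, the per-input fee and the
1000-satoshi threshold are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumption: outputs at or below this value are treated as dust. Bitcoin Core's
# default dust limit for a P2PKH output is 546 sat; a wallet can choose higher.
DUST_THRESHOLD_SATS = 1000

# Assumption: senders that a blockchain-analytics feed has labelled as a mixer.
FLAGGED_SENDERS = {"bc1q-mixer-sample-a", "bc1q-mixer-sample-b"}


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value_sats: int
    sender: str  # address that funded this output (an input of the funding tx)


def is_dust(u: Utxo,
            threshold: int = DUST_THRESHOLD_SATS,
            flagged: set = FLAGGED_SENDERS) -> bool:
    """Quarantine an output if it is tiny OR it came from a flagged sender.

    Either condition is enough on its own: a 4000-sat output from a known
    mixer still links every coin it is co-spent with back to that mixer.
    """
    return u.value_sats <= threshold or u.sender in flagged


def partition(utxos: Iterable[Utxo]) -> tuple:
    """Split a wallet's UTXOs into (clean, quarantined)."""
    clean, quarantined = [], []
    for u in utxos:
        (quarantined if is_dust(u) else clean).append(u)
    return clean, quarantined


def select_inputs(utxos: Iterable[Utxo], target_sats: int,
                  fee_per_input_sats: int = 500) -> list:
    """Largest-first coin selection over clean UTXOs only.

    Quarantined outputs are simply never chosen. Raises ValueError when the
    clean balance cannot cover the target plus a flat per-input fee (a
    simplification of real fee estimation, used here for clarity).
    """
    clean, _ = partition(utxos)
    chosen, total = [], 0
    for u in sorted(clean, key=lambda x: x.value_sats, reverse=True):
        chosen.append(u)
        total += u.value_sats
        if total >= target_sats + fee_per_input_sats * len(chosen):
            return chosen
    raise ValueError(
        f"insufficient clean funds: have {total} sat, need {target_sats} sat plus fees")


def dusting_report(utxos: Iterable[Utxo]) -> dict:
    """Count quarantined outputs per sender. The same sender showing up
    against many wallets with sub-threshold outputs is the signature of a
    campaign like the one described above."""
    _, quarantined = partition(utxos)
    report = {}
    for u in quarantined:
        report[u.sender] = report.get(u.sender, 0) + 1
    return report


# Constructed sample wallet: two normal deposits, two dust outputs and one
# above-threshold output from a flagged mixer.
SAMPLE_UTXOS = [
    Utxo("aa" * 32, 0, 250_000, "bc1q-customer-sample"),
    Utxo("bb" * 32, 1, 90_000, "bc1q-exchange-sample"),
    Utxo("cc" * 32, 0, 800, "bc1q-mixer-sample-a"),    # dust from flagged mixer
    Utxo("dd" * 32, 3, 546, "bc1q-unknown-sample"),    # dust, unknown sender
    Utxo("ee" * 32, 0, 4_000, "bc1q-mixer-sample-b"),  # not tiny, but flagged
]

if __name__ == "__main__":
    clean, quarantined = partition(SAMPLE_UTXOS)
    print(f"clean: {len(clean)}, quarantined: {len(quarantined)}")
    print("quarantined per sender:", dusting_report(SAMPLE_UTXOS))
    spend = select_inputs(SAMPLE_UTXOS, 150_000)
    print("inputs for a 150000 sat spend:",
          [(u.txid[:8], u.value_sats) for u in spend])
```

The quarantine is deliberately one-way: a real wallet would let the user spend dust on its own (in a transaction with no other inputs, to a throwaway destination) or leave it forever, but it must never merge it silently into an ordinary payment. Labelling the sender of every incoming output is the part that depends on an external analytics feed; without such a feed, the value threshold alone still catches the sub-546-sat outputs typical of a dusting campaign.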

According to the report, the top 10 cryptocrime methods and trends include:

  • SIM Swapping: An identity theft technique that takes over a victim's mobile phone number, intercepting the calls and SMS-based authentication codes sent to it, in order to break into wallets or exchange accounts and steal cryptocurrency.
  • Cryptodusting: A new form of blockchain spam that erodes the recipient's reputation by sending them cryptocurrency from known money mixers.
  • Sanction Evasion: The use of cryptocurrencies by nation states, promoted by the Iranian and Venezuelan governments, to bypass sanctions.
  • Next-Generation Crypto Mixers: Money laundering services that promise to exchange tainted tokens for freshly mined crypto, but in reality cleanse cryptocurrency through exchanges.
  • Shadow Money Service Businesses: Unlicensed Money Service Businesses (MSBs) that move cryptocurrency through banks without the knowledge of the host financial institutions, exposing those banks to unknown risk.
  • Datacenter-Scale Crypto Jacking: Takeover attacks that mine cryptocurrency at massive scale have been discovered in data centers, including AWS.
  • Lightning Network Transactions: Enable bitcoin transactions that are not recorded on the public chain (“off-chain”) and are therefore far harder to trace; the network's capacity had grown to around $2,150,000 at the time of the report.
  • Decentralized Stable Coins: Stabilized tokens that can be designed for use as private coins.
  • Email Extortion and Bomb Threats: Cyber-extortionists stepped up mass-customized phishing email campaigns in 2018, using old passwords and spouses' names to make the messages credible. Bomb threat extortion scams demanding bitcoin spiked in December.
  • Crypto Robbing Ransomware: Cyber-extortionists began distributing new malware that empties cryptocurrency wallets and steals private keys while holding user data hostage.

Cyberattacks are not the only thing to worry about: the unexpected death of an exchange administrator who left no access passwords behind can also cost users their funds, a total of 146 million USD in cryptocurrency in one recent case.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
